Time to review critical security controls

Apr 28, 2017

Recent incidents have highlighted the need for all companies and organisations to review the security of their data and IT systems, because standard approaches no longer protect against the full range of vulnerabilities, an expert says.
“Even the highest judicial office in the land, that of Chief Justice, Mogoeng Mogoeng, is not immune. Regardless of the source of the attack, about which there is much speculation, the fact remains that the office, which has security and cameras on the premises, suffered a major setback recently when several computers – containing highly sensitive information – were stolen,” notes Wonga Ntshinga, senior head of programme: Faculty of ICT at The Independent Institute of Education.
Ntshinga says many companies and organisations may be under the impression that their data and systems are adequately secured, when in fact that is not the case at all. It is therefore important for business leaders to take the time to ensure that arguably their most important non-human assets and resources are effectively protected against a range of potential attacks, both internal and external.
“The challenge is that it is very difficult to quantify the value of assets when we consider reputational loss and other intangibles, much less predict the rate of occurrence without large volumes of historical data. Besides the obvious steps, such as getting a comprehensive inventory of all network devices and software, leaders should also ensure that critical security controls are in place to protect sensitive data, and make provision for scenarios in which the security control itself is compromised,” says Ntshinga.
He says it is crucial that sensitive information is protected in three states: at rest (while it is stored on a storage device), in transit (while it is being transported over a network) and in process (while it is being processed in memory by an application).
Ntshinga says that in order to ensure a comprehensive protection strategy, companies must consider incorporating the following approaches to safeguard intellectual property:
* Vulnerability management – This service continuously monitors the environment for newly disclosed vulnerabilities and also runs regular in-depth assessments to identify new weaknesses, for instance missing or weak security controls.
* Access control – Fine-grained access control is needed to enforce separation of duties through assigned access authorisations. The principle of separation of duties is intended to minimise errors and make it more difficult to exploit access privileges for personal gain. This can extend to whether a specific user has update access to a particular file while running a specific program from a workstation at a specific network address.
* Information security policy – Policies are essential as they set the foundation and tone for a security programme. Documents such as the Information Security Policy or an associated standard need to be in place in order to understand the real exposure and the real problem, i.e. what is, or could become, the root cause of attacks.
* Acceptable risk – Risk can be defined as the expected loss of confidentiality, integrity, availability or accountability. Not all risks are the same, so it is important to evaluate them in order to decide which to prioritise. Look at your organisation through the lens of “acceptable risk” and continuously measure the efficiency and effectiveness of your security programme, which consists of the following building blocks: policies, standards, guidelines, procedures and baselines.
* Risk-based model – Risk-based models provide direction for focusing on the most critical exposures and for prioritising risk mitigation. If you don’t already have a risk model, immediately adopt a simple qualitative risk model and start prioritising your risk activities (Low, Moderate, High). Set up an organisational risk committee to assess risks across the entire organisation. The committee must look into deviations from any security risk management programmes that have been implemented and, if need be, propose corrective measures to address the deviations.
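The access control point above describes a decision that depends on who the user is, which roles they hold, which program they are running and which network address they are connecting from, and the earlier remark about a control itself being compromised calls for a control that fails closed and leaves a record. The Python below is an added example written for this page, not code from Ntshinga or The Independent Institute of Education; the roles, permissions, program names and the 10.20.0.0/16 workstation network are constructed sample data, and the separation-of-duties rule (the person who raises an invoice can never also approve one) is a hypothetical illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed sample policy: hypothetical roles, permissions, programs and
# networks invented for this example, not taken from any real organisation.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "payments-clerk": {("invoice", "create"), ("invoice", "read")},
    "payments-approver": {("invoice", "approve"), ("invoice", "read")},
    "auditor": {("invoice", "read"), ("audit-log", "read")},
}

# Separation of duties: no single identity may hold both roles in a pair,
# so whoever raises an invoice can never be the one who approves it.
CONFLICTING_ROLES = {frozenset({"payments-clerk", "payments-approver"})}

# Which program may perform each (resource, action), and from which network.
APPROVED_PROGRAMS: Dict[Tuple[str, str], Set[str]] = {
    ("invoice", "create"): {"erp-client"},
    ("invoice", "approve"): {"erp-client"},
    ("invoice", "read"): {"erp-client", "report-viewer"},
    ("audit-log", "read"): {"report-viewer"},
}
APPROVED_NETWORKS = [ip_network("10.20.0.0/16")]  # hypothetical workstation range

# Accountability trail: (user, resource, action, allowed, reason) per decision.
AUDIT_LOG: List[Tuple[str, str, str, bool, str]] = []


@dataclass(frozen=True)
class Request:
    user: str
    roles: FrozenSet[str]
    resource: str
    action: str
    program: str
    source_ip: str


def sod_conflict(roles: FrozenSet[str]) -> Optional[FrozenSet[str]]:
    """Return the conflicting role pair this identity holds, if any."""
    for pair in CONFLICTING_ROLES:
        if pair <= roles:  # both roles of the pair are present
            return pair
    return None


def decide(req: Request) -> Tuple[bool, str]:
    """Evaluate one request against the policy. Raises on malformed input."""
    conflict = sod_conflict(req.roles)
    if conflict:
        return False, "separation of duties violated: " + ", ".join(sorted(conflict))
    perm = (req.resource, req.action)
    if not any(perm in ROLE_PERMISSIONS.get(r, set()) for r in req.roles):
        return False, f"no role grants {req.action} on {req.resource}"
    if req.program not in APPROVED_PROGRAMS.get(perm, set()):
        return False, f"program {req.program} not approved for {req.action} on {req.resource}"
    src = ip_address(req.source_ip)  # raises ValueError on garbage input
    if not any(src in net for net in APPROVED_NETWORKS):
        return False, f"source {req.source_ip} outside approved networks"
    return True, "allowed"


def authorize(req: Request) -> Tuple[bool, str]:
    """Fail-closed wrapper: an error inside the control itself becomes a
    denial rather than an implicit allow, and every decision is logged."""
    try:
        allowed, reason = decide(req)
    except Exception as exc:  # the control malfunctioned; never fall open
        allowed, reason = False, f"control error, denied: {exc}"
    AUDIT_LOG.append((req.user, req.resource, req.action, allowed, reason))
    return allowed, reason


if __name__ == "__main__":
    clerk = Request("alice", frozenset({"payments-clerk"}),
                    "invoice", "create", "erp-client", "10.20.3.7")
    print(authorize(clerk))
    both = Request("alice", frozenset({"payments-clerk", "payments-approver"}),
                   "invoice", "approve", "erp-client", "10.20.3.7")
    print(authorize(both))
```

The separation-of-duties check runs before the permission lookup on purpose: an identity that has accumulated a conflicting pair of roles is denied everything until the assignment is corrected, which surfaces the provisioning error instead of quietly honouring it. Malformed input (here an unparseable source address) is treated as a failure of the control and denied, matching the point above about planning for the control itself being compromised.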
“Risk management can be an overwhelming task if tackled using only one methodology and ideally requires a strategy which addresses the entire scope of risks within an organisation,” says Ntshinga.
“Additionally, critical security controls can be costly and therefore they require funding through annual security operating budgets. Ultimately, the security professionals need to understand what each service provider does in order to mitigate the risks, and data security should not be approached in checklist fashion.”
Ntshinga says that while it is unfortunate that not every risk can be pre-empted and disarmed, a holistic effort to tighten controls can uncover some of the risks that organisations face.
“Most importantly, senior leaders of organisations – whether public or private – must take ownership of security, even (or perhaps especially) where there is a perception that adequate protections are in place.
“They must ensure that they thoroughly identify and analyse potential risk, and then put in place adequate mitigation. Additionally, it is important to be well versed on the current legal environment in order to minimise an organisation’s liability and reduce risks from electronic and physical threats, including losses from legal actions.”